iPhone and iPad security bug could let hackers look at personal details including private photos, security researchers say

Experts claim that attack could already have been used against high-profile people

Andrew Griffin
Thursday 23 April 2020 08:55 BST
Comments
Apple VP Greg Joswiak announces the new iPhone SE during an Apple special event at the Apple headquarters on March 21, 2016 in Cupertino, California
Apple VP Greg Joswiak announces the new iPhone SE during an Apple special event at the Apple headquarters on March 21, 2016 in Cupertino, California (Justin Sullivan/Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A bug in iPhones and iPads could have left people at risk of having their iPhones broken into and their personal information looked at, security researchers have claimed.

Just one email could be enough to crash the phone and use that to access the sensitive data contained on it, according to the researchers.

Apple will fix the bug in its operating systems that allowed hackers to break in through its email client, the Mail app.

More than half a billion devices could have been liable to the exploit, according to the security researchers who found it.

The bug was found by San Francisco security company ZecOps while it was investigating a sophisticated attack against one of its clients, which took place at the end of last year, it claimed. The company then found evidence that it had been exploited in at least different cyber attacks, according to ZecOps chief executive Zuk Avraham.

Apple has confirmed that the major vulnerability exists in the email software and that a fix is on its way. The update will come in a new version of the operating system that will come to its iPhones and iPads.

But it did not comment on claims that the bug could be triggered with just one email, or claims that it had already been used on high-profile people. While ZecOps claimed the bug has been used as far back as 2018 by unknown hackers, that claim is yet to be independently verified.

The attack would arrive in the form of an apparently blank email, according to Mr Avraham, which when opened would cause the Mail app to crash and then reset itself. It was that apparently innocent issue that opened up the exploit for hackers, who would then be able to take photos and contact details, he said.

Mr Avraham said that the bug was found when it was used against a "Fortune 500 North American technology company", but did not say which. There was evidence it had been used against other companies in Japan, Germany, Saudi Arabia, and Israel, he said.

Avraham based most of his conclusions on data from "crash reports" which are generated when programmes fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.

Two independent security researchers who reviewed ZecOps' discovery found the evidence credible, but said they had not yet fully recreated its findings.

Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, said the discovery "confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices".

Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. Exploit programs that work without warning against an up-to-date phone can be worth more than $1 million.

While Apple is largely viewed within the cybersecurity industry as having a high standard for digital security, any successful hacking technique against the iPhone could affect millions due to the device's global popularity. In 2019, Apple said there were about 900 million iPhones in active use.

Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery "scary".

"A lot of times, you can take comfort from the fact that hacking is preventable," said Marczak. "With this bug, it doesn't matter if you've got a PhD in cybersecurity, this will eat your lunch."

Additional reporting by Reuters

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in